Frontline Enterprise Security. Presented by: Michael Weaver, CISSP, QSA, Sword & Shield Enterprise Security. October 6, 2015


TRANSCRIPT

Page 1:

Frontline Enterprise Security

Presented by:

Michael Weaver, CISSP, QSA

Sword & Shield Enterprise Security

October 6, 2015

Page 2:

Who am I?

• Senior Enterprise Consultant at Sword & Shield

• Started “hacking” around the age of 12 on a Windows 3.11 machine using a 14.4k modem

• Started a professional IT career doing systems and network administration in 2002

Page 3:

What does a S&S Enterprise Consultant do?

• Audits and assessments on compliance standards, technology configuration, and information security best practices

• Advisement on business decisions related to information security

• Supplement information security staff to assist with projects, technology, training, etc.

• Draft, review, and revise policies

• Training on technologies, compliance, and general security concepts

Page 4:

Audits

Page 5:

What Kind of Audits?

• FISMA, GLBA, HIPAA, ISO 27001 and SOX gap analysis

• PCI compliance

• Risk Assessments based on NIST 800-30

• Gap Analysis – How close are you to adhering to the compliance framework?

• Compliance – The governing authority recognizes that you are meeting or exceeding the requirements of the standard.

• Assessment – Applying my knowledge and expertise to evaluate your organization according to NIST and other standards. How well is your organization protected from actual threats, and how likely are they?

Page 6:

Evidence

• Policies and procedures to show that the organization has set expectations and communicated them to the appropriate parties.

• Standard sets of supporting documents, such as diagrams, logs, screenshots, configuration files, etc., are requested in every engagement. However, I dig a lot deeper when you make extraordinary claims or hide something.

• Interviews with the people who set up the controls protecting the information.

• Observations of the work areas and the “secure” areas where the information is stored, processed, or transmitted.

• Verification through action.

Page 7:

Typical Compliance and Security Issues

• Policies and procedures
– Are they kept up to date?
– Are they known throughout the organization?
– Are they followed?

• Giving people higher privileges than they need.
– Local Admin rights – STOP THIS!

• Not reviewing, collecting, keeping, alerting on, and responding to security events.

• Not staying current on patches, or not having a well-developed plan to patch everything in your environment.

• Training

• Service accounts. Lock them down. Yes, you need to change the password, but possibly not as often as for normal user accounts.

• Letting your data walk out the door and letting people bring anything in.

• Having exceptions to the rules, but only if they promise to be safe.

Page 8:

Getting to the Information without “Hacking”

• Physical methods – social engineering, tailgating, phishing, just taking the information, unlocked computers in public areas, or taking pictures or videos (office windows).

• Using passwords that should have been changed or accounts that should have been disabled.

• Having exposed information: BYOD, missing or incorrectly configured security controls (VLANs), removable media, Outlook Anywhere, and using cloud storage or services.

• Sharing passwords or letting other people use your computer or device.
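The account problems on the last two slides (stale accounts, passwords that were never rotated, standing local admin rights, service accounts with a looser but still finite rotation window) are the kind of thing an auditor checks from an export rather than by interview. The script below is an added example and is not part of the presentation or the presenter's tooling: it runs those checks over a constructed account export. The field names are assumptions modelled loosely on Active Directory attributes, the thresholds are assumptions standing in for your own policy, and the rows are made up for the example.

```python
from datetime import date, timedelta

# Policy thresholds: assumptions for this example, not values from the talk.
STALE_DAYS = 90            # enabled account with no logon in 90 days should be disabled
USER_PW_MAX_DAYS = 90      # interactive users rotate every 90 days
SERVICE_PW_MAX_DAYS = 365  # service accounts rotate less often, but still rotate

# Reference date for the audit run (the date of the talk).
AS_OF = date(2015, 10, 6)

# Constructed sample export (not real data). Field names are assumed and
# loosely follow AD attributes (pwdLastSet, lastLogon); "" means "never".
SAMPLE_EXPORT = [
    {"name": "jdoe",        "enabled": True,  "service": False, "pwd_last_set": "2015-08-01", "last_logon": "2015-10-05", "local_admin": False},
    {"name": "asmith",      "enabled": True,  "service": False, "pwd_last_set": "2015-03-15", "last_logon": "2015-10-01", "local_admin": True},
    {"name": "contractor7", "enabled": True,  "service": False, "pwd_last_set": "2015-01-10", "last_logon": "2015-04-02", "local_admin": False},
    {"name": "svc_backup",  "enabled": True,  "service": True,  "pwd_last_set": "2013-06-30", "last_logon": "2015-10-06", "local_admin": True},
    {"name": "svc_scan",    "enabled": True,  "service": True,  "pwd_last_set": "2015-02-01", "last_logon": "2015-10-06", "local_admin": False},
    {"name": "oldadmin",    "enabled": False, "service": False, "pwd_last_set": "2012-05-05", "last_logon": "2012-06-01", "local_admin": True},
    {"name": "newhire",     "enabled": True,  "service": False, "pwd_last_set": "2015-09-30", "last_logon": "",           "local_admin": False},
]


def _parse(iso):
    """Turn an ISO date string into a date, or None for "never"."""
    return date.fromisoformat(iso) if iso else None


def audit_accounts(rows, as_of=AS_OF):
    """Return (account, finding) pairs for the hygiene issues the slides list."""
    findings = []
    for r in rows:
        pwd_set = _parse(r["pwd_last_set"])
        last_logon = _parse(r["last_logon"])

        if not r["enabled"]:
            # A disabled account is not a risk by itself, but leftover admin
            # membership shows that offboarding did not clean up the groups.
            if r["local_admin"]:
                findings.append((r["name"], "disabled account still in local Administrators"))
            continue

        # 1. Accounts that should have been disabled: no logon inside the stale window.
        if last_logon is None:
            # Never logged on; only stale once it is older than the window
            # (password-set date is the closest thing to a creation date here).
            if pwd_set and as_of - pwd_set > timedelta(days=STALE_DAYS):
                findings.append((r["name"], f"enabled, never logged on, older than {STALE_DAYS} days"))
        elif as_of - last_logon > timedelta(days=STALE_DAYS):
            findings.append((r["name"], f"enabled but no logon in {STALE_DAYS} days"))

        # 2. Passwords that should have been changed, with the longer
        #    window the talk allows for service accounts.
        max_age = SERVICE_PW_MAX_DAYS if r["service"] else USER_PW_MAX_DAYS
        if pwd_set is None or as_of - pwd_set > timedelta(days=max_age):
            findings.append((r["name"], f"password older than {max_age} days"))

        # 3. Standing local admin rights ("Local Admin rights - STOP THIS!").
        if r["local_admin"]:
            who = "service account" if r["service"] else "interactive user"
            findings.append((r["name"], f"{who} holds local admin rights"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_EXPORT):
        print(f"{name:12s} {finding}")
```

Run against the sample rows, the script flags seven findings across four accounts (two stale-password users, one of whom is also a local admin; a long-dormant contractor; a service account with a two-year-old password and admin rights; and a disabled account left in the Administrators group), while the current users and the rotated service account produce nothing. Feed it a real export and the same three checks become evidence for the "verification through action" step rather than a claim taken on trust.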

Page 9:

How to Resolve the Issues

Page 10:

Technology Solutions

• Basic Firewall
• Web Application Firewall
• Multifactor
• Biometric
• Web Filter
• MSSP/SIEM
• DDoS Mitigation
• Mobile Device Management
• Password Management
• Update Management
• IDS/IPS
• Backup Solutions
• Email Archiving
• DR Sites
• Whitelisting
• Enterprise Wireless
• Data Loss Prevention
• Vulnerability Scanning
• Secure File Transfer
• NAC
• Inventory Management
• FIM

Page 11:

Steps to Success

1. Senior leadership within the organization must understand and support security decisions or they will fail.

2. Everyone in the organization must know their responsibilities and ownership in the security program.

3. You need visibility and knowledge of how information flows through the business.

4. Identify and address all risks to your information. All identified risks will be accepted, avoided, mitigated, or transferred.

5. Develop a security plan and set goals to obtain a strong security posture.

6. Get help when you need it. Training, 3rd parties, and additional staff can provide additional knowledge, expertise, and resources.

Page 12:

Questions?

Page 13:

Thank you!